ESET Threat Blog

November 19th, 2009

Even in Europe, we have a rough idea of what Thanksgiving is about, though we don't celebrate it at the same time or in the same way. However, Black Friday and Cyber Monday are rather less well known outside the US.

Since Randy has already blogged on Cyber Monday and its security implications at http://www.eset.com/threat-center/blog/2009/11/19/is-cyber-monday-the-end-of-shopping-as-we-know-it, I took the opportunity to air a slightly more Eurocentric view at http://blog.isc2.org/isc2_blog/2009/11/they-call-it-cyber-monday-but-tuesdays-just-as-bad.html.

While you're away from this blog site, you might also be amused, in a cynical sort of way, by the fact that Qinetiq and New Scientist have solved the virus problem once and for all: http://avien.net/blog/?p=92. I believe they'll be starting on solving the Millennium Bug issue any year now.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/
 

November 19th, 2009

Cyber Monday is the Monday that follows Thanksgiving in the USA. This is said to be the busiest online shopping day of the year. Does that mean that there is more risk of cybercrime? The answer is yes and no. There is more risk simply because more people are shopping online so malicious web pages, fake holiday specials, and other attractions are bound to get more traffic.


In reviewing our threat statistics for the past couple of years, we found that we do not see an increase in the number of threats, so as an individual your risk is pretty close to the same as at any other time of year. That still means there is some risk, and there are steps you can take to minimize your chances of becoming a victim of cybercrime. Here are a few tips to consider.

1) Beware of unsolicited emails for promotions that seem too good to be true. Things like "We'll give you a free copy of Windows 7 for filling out this survey", or "Get $100 for filling out this survey". Oftentimes these are ploys to get your credit card information and other personal information. It may be for the purpose of sending you spam, or it may be for financial or identity theft.

2) Watch out for anything related to banks, PayPal, and other online financial providers. NEVER click on a link in an email having to do with financial institutions. For some really simple tips on protecting yourself from phishing, see my "Antiphishing Made Easy" tip on the San Diego Chamber of Commerce web site at http://www.sdchamber-members.org/TechTip.htm.

3) Shop at reputable websites. Do not believe things like a BBB logo; check with the Better Business Bureau to see whether they say the company is a member. It's best if you know somebody who has done business with the company before. Crooks will post fake positive reviews of their web sites.

4) When you go to enter payment information, make sure the address in the browser starts with https, and not just http. Https encrypts the information, such as your credit card number. It isn't enough to see the https, since the bad guys can use that too, but you want to use a reputable site and verify that they are encrypting your data.

5) You might want to consider getting a credit card with a low spending limit and using that exclusively when you shop online… especially if you can't resist that offer that is too good to be true!

6) Do not click on the links in emails. If you want to shop at Fry's online, type in www.frys.com and find the item you are looking for.

Following these tips will greatly improve your odds of safely shopping online on Cyber Monday and every other day of the year.

If you believe that you have become a victim of a phishing attack, contact your bank immediately.

Randy Abrams
Director of Technical Education

November 18th, 2009

Recently I blogged (Once Upon A Cybercrime…) about a survey ESET commissioned which indicated that Mac users are victims of cybercrime as often as PC users. This finding was not the main point of the survey, but was an interesting finding. The survey is titled "Securing Our e-City National Cybercrime Survey" and was commissioned to gather more information about how we can better target education as part of our Securing our e-City project. You can learn more about Securing Our e-City at http://securingourecity.org/.

I want to share with you some additional findings of the study over the coming days and weeks. Extrapolating the losses of those surveyed it appears that cybercrime has cost Americans 11 billion dollars.

First I’ll give you a breakdown of the educational levels of our survey participants.

5% had less than a high school education
25% had a high school education
29% had some college
27% had a college degree
14% had advanced degrees

Now let’s look at the victimization rates.

2% of those with less than a high school education had been victims
2% of those with a high school education had been victims
9% of those with some college education reported being victims
7% of those with a college degree reported being victims
18% of those with advanced degrees reported being victims

Given this data, the logical conclusion is that the number one way to avoid cybercrime is to avoid college!

But seriously, I don’t really think it is education that makes one stupid, or makes them a victim. A more likely explanation is that those with higher earnings make more attractive targets. It is also quite possible that those with higher education feel they are smart enough to avoid being tricked. A PhD in psychology does not translate to internet security knowledge. A degree in dentistry does not afford a higher level of computer security knowledge. Even people with computer science degrees often fail to learn enough about computer and Internet security.

I am a firm supporter of education, but when it comes to computers there is specific education required if you wish to avoid becoming a victim of cybercrime. Knowing tips and techniques, such as I describe in AntiPhishing Made Easy, can make a big difference. Education won't always protect you. When a TJ Maxx or Heartland compromises your credit card information, your computer savvy isn't going to help. When you receive an email claiming that information is needed to secure your web mail account, then security knowledge is quite useful. When something tells you that you need a codec to view a movie, just a little bit of security knowledge protects you. When you see something that says you need a new flash player, knowing to go to Adobe for the update and not accepting it anywhere else on the web is what is going to prevent you from infecting your computer.

Yeah, you might have a lot of college education, but if you do, you probably have more money and are a much more attractive target to the cyber criminal. If you have more to lose then you have more to gain by becoming a savvy computer user.

Randy Abrams
Director of Technical Education
 

November 18th, 2009

I learned a new word today. According to snopes.com, an essential resource when checking the validity of dubious chain letters, "glurge" is the sending of

inspirational (and supposedly true) tales … that often … undermine their messages by fabricating and distorting historical fact in the guise of offering a "true story".

I came across this definition while checking on the provenance of a number of chain letters that have crossed my path in the past week or two and that I've already described elsewhere. (I'll be returning to them in more detail shortly here, though, probably as a paper rather than as a blog.)

The particular example of glurge listed by snopes.com at http://www.snopes.com/glurge/daughter.asp is one of several chain letters I've seen that require me to forward chain letters in order to prove that I care about the fate of English troops in Afghanistan. (Since I do, in fact, have a close relative serving in the military, I find that somewhat offensive, and I think he would too.)

And thereby hangs a tale. Randy Abrams and I wrote a paper for this year's Virus Bulletin conference called "Whatever happened to the unlikely lads? A hoaxing metamorphosis" that traces the evolution of hoaxes from virus scare stories to emotional blackmail as the social engineering mechanism for persuading people to disseminate hoaxes and semi-hoaxes. If you think that chain letters stopped being an issue when people finally realized that there is no "Good Times" virus and that the SULFNBK hysteria was just that, it might just change your mind. You can find it on the ESET white papers page at http://www.eset.com/download/whitepapers/Harley-Abrams-VB2009.pdf.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


November 18th, 2009

(Much) earlier this year, Randy posted a blog on some email he received about his inclusion into the 2009/2010 Princeton Premier Honors Edition Registry (http://www.eset.com/threat-center/blog/2009/01/09/what-an-honor).

I was reminded of it (yes, Randy, someone does read your blogs ;-) ) when I got a couple of emails telling me I'd been nominated for an entry into the Marquis Who's Who In America. In fact, I assumed the first one was spam at best and ignored it, but when I got a reminder, I checked back to Randy's blog to see if it was the same publisher, which it apparently isn't. In fact, although there are indeed lots of "Who's Who" vanity scams, Who's Who In America seems to have some legitimacy, according to Wikipedia (http://en.wikipedia.org/wiki/Marquis_Who's_Who), though since some of the information in that article seems to be quoting the Marquis web site, the usual caveats about Wikipedia accuracy apply, only more so.

Anyway, since I'm not a "living" American, don't live in America, and some days I'm not even sure I'm a "living" Englishman, I don't think I'll be filling in the form (and I'm afraid I don't have Sting's email address). I'd love to know, though, who nominated me (or is that just a standard distractor from the fact that they're just raiding spammers' address lists, like everyone else?)

If it was one of the dozen or so people who buy my books (or maybe one of the slightly larger volume of people who download them illegally!), thanks anyway. :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


November 17th, 2009

Verizon has just done something rather brave. The company has issued a report, the "ICSA Labs Product Assurance Report" (http://www.icsalabs.com/sites/default/files/WP14117.20Yrs-ICSA%20Labs.pdf), that talks about the difficulties that most products have in meeting the requirements of ICSA Labs certification.

Why is it brave? Because those companies provide ICSA Labs with a healthy income, and might therefore be a little upset to have it suggested that some of them need to be nursed through the certification process? Well, I don't think security companies see it that way, though you might think that was the whole point, on a superficial reading of some of the news items inspired by this report.

John Leyden says in The Register that "Most security products not up to scratch. But most of all, you've let yourself down" (http://www.theregister.co.uk/2009/11/17/security_kit_testing_fail/)

Dan Raywood says in SC Magazine that "Over three quarters of security products fail an initial test and do not adequately perform." (http://www.scmagazineuk.com/over-three-quarters-of-security-products-fail-an-initial-test-and-do-not-adequately-perform/article/157883/)

Thomas Claburn says in InformationWeek that "Most Security Products Fail Initial Certification Tests. A study based on the testing of thousands of security products over 20 years finds that most require several rounds of testing before achieving certification." And I think that's closer to the real process. (http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=221800223&cid=alert_art_sec_d_m)

To look at the issue in terms of short-term failure would be to miss the point, though. There has been a certain amount of criticism of ICSA Labs, among others, in the past, because it gives companies with products under test latitude when it comes to re-testing and re-certification. (And that's where the bravery comes in…) That latitude runs contrary to the way that some testers work, stress-testing the product under test by "tricking" it into demonstrating its weaknesses rather than coaxing it into demonstrating its capability. [1] But that's precisely why it's a Good Thing.

ICSA Labs certification isn't just about saying whether a product is "good" or "bad": I'd argue that any detection-oriented test that is entirely focused on that is probably not fully aware of the implementational difficulties and margin for error in even the best detection testing in the current threatscape. The value of the ICSA Labs certification process lies not just in the fact that it's tough (and it is: apparently, only 4% of tested products pass during the first testing cycle) but in the fact that it's a collaborative process that allows and encourages the vendor to work on the product until it passes, and then requires us to maintain those standards over time.

Read the report: it's about a lot more than product failure, and I can think of other testing and certification labs that could learn from it.

[1] "Antimalware Evaluation and Testing" (Harley and Lee) in "AVIEN Malware Defense Guide" (Ed. Harley, Syngress, 2007)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


November 17th, 2009

Cyberwar, cyberterrorism, cybersigh…(gosh, that's almost a palindrome…)

However, if you get past the cyberbuzzwords, there are some interesting articles around at the moment.

In Infosecurity Magazine, there's an article called "Cyberterrorism: A look into the future", contributed by the (ISC)2 US Government Advisory Board Executive Writers Bureau: http://www.infosecurity-magazine.com/view/5217/cyberterrorism-a-look-into-the-future/.

More thoughtful than you might expect from an article with the overhyped word cyberterrorism in its title.

You might also find this interesting: "The Drums of Cyberwar" includes a quote from our own Randy Abrams, among others, and considers the question of governmental preparation for cyberwarfare: http://www.technewsworld.com/story/68669.html?wlc=1258483867

A few years ago, I skimmed through a book called "The Next World War" by James Adams (Random House, 1998). At the time, I was somewhat irritated by some technical inaccuracies in my own specialist areas, but it occurs to me that it might be the right time to see how it stacks up against the 2009 cyberthreatscape (sigh…). I'll report back when I've had the chance to revisit it.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


November 17th, 2009

After a few years in the security business, it's easy to get a bit too used to the background noise, and forget that not everyone is familiar with concepts like phishing (see Randy's recent blog at http://www.eset.com/threat-center/blog/2009/11/16/once-upon-a-cybercrime%e2%80%a6), or botnets ("whatever they are", as my brother said to me quite recently), or money mules. I've written about muledriving quite a few times in the past ten years, so it comes as a bit of a shock to realize that according to a survey by GetSafeOnline.org, nine out of ten people don't know what a money mule is. Well, less of a shock now that I've seen the CERC survey that Randy's blog cites.

According to the song by Johnny Burke and Jimmy Van Heusen, a mule is an animal with long funny ears, a brawny back, and a weak brain. In the twilight world of drugs, phishing and money-laundering, the term has more sinister connotations. 

A money mule may be a courier, like the mules we hear of in drug-trafficking, but in the phishing world, is likelier to be someone whose bank account is used to launder money. When a phisher steals money from an account in another country, it can be difficult for them to transfer it across international borders. It’s much easier for them to recruit “mules” in the same country (and even using the same bank) as the victim. The money is transferred to the mule’s account, and he in turn forwards the money overseas using a wire transfer service, having deducted his commission. Not only does this make the transfer easier, it can make it harder for police forces to trace the gangs. A mule may also receive goods ordered with a misappropriated credit card and sell them or forward them.

Muledrivers (the guys who recruit and direct money-mules) sometimes go to considerable trouble to make their recruitment emails and sites look genuine, and indeed sometimes go through genuine job-sites, so it's quite likely that some mules aren't aware that they're engaged in criminal activity. Unfortunately for them, when the police come knocking, it's more likely to be on a mule's door than the muledriver's.

None of this is particularly new – it's at least as old as phishing as we now understand it. But that doesn't mean it's not a major problem. According to Get Safe Online (The Blog), "At any given time, there are approximately 100 known mule recruitment sites targeting the UK, each of which may have lured in around 50 active mules. The risk is that by allowing their bank accounts to be used to receive and transfer illegal funds, mules are breaking the law – even if they don’t realise it."

I'm currently revisiting muledriving for a white paper. In the meantime, any recruiter who mails you apparently at random (the way that phishers do) is just using a spammer mailing list. Unpersonalized recruitment mails are bad karma. And anyone who's interested in recruiting you for your bank account is almost certainly a badhat. Impressive job titles like "finance manager" or "shipping manager" notwithstanding.


David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


November 16th, 2009

Remember Microsoft Bob? It was a shiny new windowing system on top of a Windows kernel. Now Google is announcing the imminent release of the Chrome OS which, according to the official Google blog (http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html), is a new windowing system on top of a Linux kernel. So is it an OS or a GUI?

Chrome OS is certainly not what one would typically call an operating system, but perhaps Google is trying to redefine OS for marketing purposes. That might work; Google has some very talented marketing people, as well as talent in many other areas.

Don't get me wrong, Chrome OS may end up being great, but a critical look at the blog reveals a lot of Google claims that simply aren't necessarily entirely accurate.

Can you spot the hype and cut through it?

“the operating systems that browsers run on were designed in an era where there was no web. So today, we're announcing a new project that's a natural extension of Google Chrome — the Google Chrome Operating System. It's our attempt to re-think what operating systems should be.”

While Linux was designed when the web existed, it was written to be a clone of an OS designed well before the web existed. Chrome appears to be a Linux distribution, not a new operating system. Additionally, since Windows 95 Microsoft has been writing and releasing operating systems designed with the web in mind. Apple has been doing the same thing.

“we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates.”

This is interesting. Is Google really redesigning the security architecture of Linux? As vulnerabilities appear in the Linux kernel from time to time, will they not have to be patched, or does Google mean that they will silently be updated regardless of the user's desires? Additionally, malware is no longer limited to the operating system. Facebook worms, Twitter worms, and other social networking malware will still be an issue.

Google isn’t the first company to bolt a GUI on an operating system and call it a new OS. Windows started as a GUI for MS DOS.

It will be interesting to see and play with Chrome, but I don’t think we will see a radically new operating system.

Randy Abrams
Director of Technical Education

November 16th, 2009

 We came across an interesting test report at http://www.passmark.com/ftp/antivirus_10-performance-testing-ed2.pdf. Symantec commissioned a comparative performance test from Passmark. That is, a test measuring performance in terms of speed and resource usage rather than looking at detection rates.

Not surprisingly, Symantec came out very well overall, and deserves congratulations for demonstrating how far it's gone in addressing its reputation for slow and bloated software. Given that ESET Smart Security also came out rather well, it may seem churlish to raise objections: however, we did wonder about one of the test results. In the "Memory Usage While Idle" table, ESET's RAM usage is quoted as 31.7 MB, which is well below average and less than 1/3 of the memory used by the most voracious RAM-eating product out of all the products tested. But Norton Internet Security 2010 apparently used only an impressive 10.85 MB, measured with Process Explorer and Perflog++.

However, when we tried an alternative approach measuring commit charge, which we consider a more accurate measurement of a product's impact on the system, we found that Norton Internet Security 2010 increased the total system commit charge by 93 MB, whereas ESET Smart Security increased the total system commit charge by just 48 MB. The difference between the two methods is that commit charge measures the total amount of memory used by the system and how it increases when an application is running. Viewing the individual process memory consumption in Process Explorer does not expose all memory used by the application.
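As an added example (not from the ESET post and not PassMark's test harness), the script below measures on a Windows machine the two quantities the paragraph above contrasts: the change in the system-wide commit charge (the `\Memory\Committed Bytes` performance counter) before and after a program is launched and allowed to settle, next to the per-process private bytes and working set of the launched executable, which is the kind of figure a process viewer reports. `$ProgramPath`, the settle time and the sample count are assumed placeholders.

```powershell
# Added example: system commit-charge delta versus per-process memory figures.
# Assumes Windows PowerShell 5.1 or later with the 'Memory' counter set present.
param(
    [string]$ProgramPath = 'C:\Path\To\ProgramUnderTest.exe',  # placeholder
    [int]$SettleSeconds  = 60,   # time for the program to reach its idle state
    [int]$Samples        = 5     # readings averaged to smooth out jitter
)

function Get-CommitChargeMB {
    param([int]$Count = 5)
    # '\Memory\Committed Bytes' is the total commit charge of the whole system,
    # so it also reflects memory taken by helper services and kernel-mode
    # components that a single process handle never shows.
    $sets   = Get-Counter -Counter '\Memory\Committed Bytes' -SampleInterval 1 -MaxSamples $Count
    $values = $sets | ForEach-Object { $_.CounterSamples[0].CookedValue }
    [math]::Round((($values | Measure-Object -Average).Average) / 1MB, 1)
}

# Baseline while the machine is otherwise idle.
$before = Get-CommitChargeMB -Count $Samples
Write-Host "Commit charge before launch: $before MB"

# Launch the program under test and let it settle before sampling again.
$proc = Start-Process -FilePath $ProgramPath -PassThru
Start-Sleep -Seconds $SettleSeconds
$after = Get-CommitChargeMB -Count $Samples

# Per-process figures for the launched executable only, for comparison.
$proc.Refresh()
$privateMB    = [math]::Round($proc.PrivateMemorySize64 / 1MB, 1)
$workingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)

Write-Host "Commit charge after launch : $after MB"
Write-Host "Commit charge delta        : $([math]::Round($after - $before, 1)) MB"
Write-Host "Process private bytes      : $privateMB MB"
Write-Host "Process working set        : $workingSetMB MB"
```

The commit-charge delta and the per-process numbers will usually disagree, and the gap is the point of the paragraph above: a product that runs as several services or loads kernel drivers shows most of its footprint only in the system-wide figure. Run the script from a quiet session and repeat it a few times, since unrelated background activity also moves the counter.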

Which kind of proves that in performance testing,  there’s more than one way to skin a cat. Which skinning method you choose might depend on how sharp your knife is. ;-)

Andrea Kokavcova
Senior Marketing Research Analyst